Attackers have been exploiting the Apache ActiveMQ Vulnerability to steal data and install malware constantly.
Using the Apache ActiveMQ remote code execution vulnerability, the Andariel threat group was found to be installing malware last month.
Researchers have now discovered new attacks that installed Ladon, NetCat, AnyDesk, and z0Miner.
A remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server, is identified as CVE-2023-46604.
The vulnerability attack involves manipulating a serialized class type in the OpenWire protocol to instantiate the class in the classpath.
When the threat actor sends a modified packet, the susceptible server uses the path in the packet to load the XML configuration file for the class.
Researchers examine that the latest attacks that have installed malware such as Ladon, NetCat, AnyDesk, and z0Miner.
One of the tools that threat actors who speak Chinese typically employ is Ladon.
Ladon provides several features required for the attack procedure.
Reverse shell, scanning, privilege escalation, and account credential theft are some of the main characteristics.
Once it was established that a vulnerable version of the Apache ActiveMQ service was being utilized, they downloaded Ladon and executed additional commands using the PowerShell command.
The reverse shell is executed using the ReverseTCP command, and Netcat was utilized to do this.
Using the TCP/UDP protocol, Netcat is a utility for sending and receiving data to and from specific targets within a network.
It may also be said that network managers regularly utilize it because it provides a variety of functions for network testing, but threat actors can also take advantage of it.
The threat actor installed AnyDesk after installing Netcat in the recently discovered attack.
Attack efforts using XMRig CoinMiner have also been observed recently.
To stop attacks that make use of known vulnerabilities, system administrators need to verify if the Apache ActiveMQ service they are using is one of the vulnerable versions and install the most recent updates.
Finally, caution should be exercised by updating V3 to the most recent version to prevent malware infection in advance.
This Cyber News was published on gbhackers.com. Publication date: Tue, 19 Dec 2023 09:43:05 +0000